On Thu, Jul 10, 2008 at 6:29 PM, Filipe Brandenburger <filbranden at gmail.com> wrote:
>
> Try using "iptables -vL", it will show you how many packets have
> matched that rule. Then try to rsh or rlogin and see if the numbers
> change. That should give you a clue to whether it's working or not.
>

Before:

    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:login
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:shell
  619 22772 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

[summarized to include only the relevant ports]

After:

    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:login
    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:shell
  619 22772 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Interesting that the shell count went up to 6 and the reject count did not change, but no login occurred:

[mrichter at khan mrichter]$ rsh sushi ls
sushi: Connection refused

I might not have waited long enough for the reject count to go up - just repeated the experiment and got this:

[before]

    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:login
    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:shell
  627 23044 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

[after]

    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:login
   12   720 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:shell
  628 23072 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

But why is it still rejecting the login, or is it the placement of the lines?

> P.S.: Once again: although it's great that you are digging into the
> problem, using iptables, and learning a lot in the process, you should
> *REALLY* consider ditching rsh/rlogin and sticking to SSH. I would
> consider using rsh/rlogin instead of SSH today about the same as using
> gopher instead of the WWW these days (for those of you who still
> remember it).
Did that - this is just for my better understanding of the whole setup.
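The before/after counter comparison suggested in the thread, as an added example that is not part of the original mail: it parses two constructed `iptables -vL` snapshots (modelled on the numbers quoted above), diffs each rule's packet and byte counters positionally, and reports which rules the test traffic actually matched. The snapshot text and rule order are assumptions taken from the mail's summarized output.

```python
# Diff per-rule packet counters between two `iptables -vL` snapshots (added example).
import re

# Constructed snapshots modelled on the counters in the mail (only the three relevant rules).
BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:login
    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:shell
  627 23044 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
"""
AFTER = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:login
   12   720 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:shell
  628 23072 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
"""

_COUNTER = re.compile(r"^(\d+)([KMG])?$")
_SCALE = {None: 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def _count(token):
    """Plain -vL abbreviates large counters (e.g. 23K); `iptables -vxL` prints exact values."""
    m = _COUNTER.match(token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SCALE[m.group(2)]

def parse_rules(listing):
    """Return [(rule_text, pkts, bytes)] in chain order; Chain/header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 3 or not _COUNTER.match(parts[0]):
            continue
        rules.append((" ".join(parts[2:]), _count(parts[0]), _count(parts[1])))
    return rules

def counter_deltas(before, after):
    """Pair rules by position; both snapshots must list the same rules in the same order."""
    b, a = parse_rules(before), parse_rules(after)
    if [r[0] for r in b] != [r[0] for r in a]:
        raise ValueError("rule sets differ; take both snapshots of an unchanged ruleset")
    return [(rb, pa - pb, ba - bb) for (rb, pb, bb), (_, pa, ba) in zip(b, a)]

def rules_hit(before, after):
    """Rules whose packet counter moved, i.e. the rules the test traffic actually matched."""
    return [rule for rule, dp, _ in counter_deltas(before, after) if dp > 0]
```

On a real host, save `iptables -vxL INPUT` output before and after the connection attempt and pass both files' contents to `rules_hit`. A `state NEW` ACCEPT counter that moves while the client still sees "Connection refused" means the packet passed the firewall and the refusal came from the host itself (nothing listening on that port), so the service, not the rule order, is the next thing to check.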